Home Explore Help
Register Sign In
libreCMC
/
libreCMC
17
18
Fork 12
Files Issues 59 Pull Requests 3 Wiki
Tree: 9003a2e19e
Branches Tags
libreCMC
/
target
/
linux
/
generic
/
backport-4.14
/
335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch

335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch 43 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450 
  1. From: Pablo Neira Ayuso <pablo@netfilter.org>
    2. 

  2. Date: Tue, 9 Jan 2018 02:38:03 +0100
    3. 

  3. Subject: [PATCH] netfilter: nf_tables: add single table list for all families
    4. 

  4. 

  5. Place all existing user defined tables in struct net *, instead of
    6. 

  6. having one list per family. This saves us from one level of indentation
    7. 

  7. in netlink dump functions.
    8. 

  8. 

  9. Place pointer to struct nft_af_info in struct nft_table temporarily, as
    10. 

  10. we still need this to put back reference module reference counter on
    11. 

  11. table removal.
    12. 

  12. 

  13. This patch comes in preparation for the removal of struct nft_af_info.
    14. 

  14. 

  15. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    16. 

  16. ---
    17. 

  17. 

  18. --- a/include/net/netfilter/nf_tables.h
    19. 

  19. +++ b/include/net/netfilter/nf_tables.h
    20. 

  20. @@ -145,22 +145,22 @@ static inline void nft_data_debug(const
    21. 

  21.   *	struct nft_ctx - nf_tables rule/set context
    22. 

  22.   *
    23. 

  23.   *	@net: net namespace
    24. 

  24. - * 	@afi: address family info
    25. 

  25.   * 	@table: the table the chain is contained in
    26. 

  26.   * 	@chain: the chain the rule is contained in
    27. 

  27.   *	@nla: netlink attributes
    28. 

  28.   *	@portid: netlink portID of the original message
    29. 

  29.   *	@seq: netlink sequence number
    30. 

  30. + *	@family: protocol family
    31. 

  31.   *	@report: notify via unicast netlink message
    32. 

  32.   */
    33. 

  33.  struct nft_ctx {
    34. 

  34.  	struct net			*net;
    35. 

  35. -	struct nft_af_info		*afi;
    36. 

  36.  	struct nft_table		*table;
    37. 

  37.  	struct nft_chain		*chain;
    38. 

  38.  	const struct nlattr * const 	*nla;
    39. 

  39.  	u32				portid;
    40. 

  40.  	u32				seq;
    41. 

  41. +	u8				family;
    42. 

  42.  	bool				report;
    43. 

  43.  };
    44. 

  44.  
    45. 

  45. @@ -947,6 +947,7 @@ unsigned int nft_do_chain(struct nft_pkt
    46. 

  46.   *	@use: number of chain references to this table
    47. 

  47.   *	@flags: table flag (see enum nft_table_flags)
    48. 

  48.   *	@genmask: generation mask
    49. 

  49. + *	@afinfo: address family info
    50. 

  50.   *	@name: name of the table
    51. 

  51.   */
    52. 

  52.  struct nft_table {
    53. 

  53. @@ -959,6 +960,7 @@ struct nft_table {
    54. 

  54.  	u32				use;
    55. 

  55.  	u16				flags:14,
    56. 

  56.  					genmask:2;
    57. 

  57. +	struct nft_af_info		*afi;
    58. 

  58.  	char				*name;
    59. 

  59.  };
    60. 

  60.  
    61. 

  61. @@ -968,13 +970,11 @@ struct nft_table {
    62. 

  62.   *	@list: used internally
    63. 

  63.   *	@family: address family
    64. 

  64.   *	@owner: module owner
    65. 

  65. - *	@tables: used internally
    66. 

  66.   */
    67. 

  67.  struct nft_af_info {
    68. 

  68.  	struct list_head		list;
    69. 

  69.  	int				family;
    70. 

  70.  	struct module			*owner;
    71. 

  71. -	struct list_head		tables;
    72. 

  72.  };
    73. 

  73.  
    74. 

  74.  int nft_register_afinfo(struct net *, struct nft_af_info *);
    75. 

  75. --- a/include/net/netns/nftables.h
    76. 

  76. +++ b/include/net/netns/nftables.h
    77. 

  77. @@ -8,6 +8,7 @@ struct nft_af_info;
    78. 

  78.  
    79. 

  79.  struct netns_nftables {
    80. 

  80.  	struct list_head	af_info;
    81. 

  81. +	struct list_head	tables;
    82. 

  82.  	struct list_head	commit_list;
    83. 

  83.  	struct nft_af_info	*ipv4;
    84. 

  84.  	struct nft_af_info	*ipv6;
    85. 

  85. --- a/net/netfilter/nf_tables_api.c
    86. 

  86. +++ b/net/netfilter/nf_tables_api.c
    87. 

  87. @@ -37,7 +37,6 @@ static LIST_HEAD(nf_tables_flowtables);
    88. 

  88.   */
    89. 

  89.  int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
    90. 

  90.  {
    91. 

  91. -	INIT_LIST_HEAD(&afi->tables);
    92. 

  92.  	nfnl_lock(NFNL_SUBSYS_NFTABLES);
    93. 

  93.  	list_add_tail_rcu(&afi->list, &net->nft.af_info);
    94. 

  94.  	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
    95. 

  95. @@ -99,13 +98,13 @@ static void nft_ctx_init(struct nft_ctx
    96. 

  96.  			 struct net *net,
    97. 

  97.  			 const struct sk_buff *skb,
    98. 

  98.  			 const struct nlmsghdr *nlh,
    99. 

  99. -			 struct nft_af_info *afi,
    100. 

  100. +			 u8 family,
    101. 

  101.  			 struct nft_table *table,
    102. 

  102.  			 struct nft_chain *chain,
    103. 

  103.  			 const struct nlattr * const *nla)
    104. 

  104.  {
    105. 

  105.  	ctx->net	= net;
    106. 

  106. -	ctx->afi	= afi;
    107. 

  107. +	ctx->family	= family;
    108. 

  108.  	ctx->table	= table;
    109. 

  109.  	ctx->chain	= chain;
    110. 

  110.  	ctx->nla   	= nla;
    111. 

  111. @@ -429,30 +428,31 @@ static int nft_delflowtable(struct nft_c
    112. 

  112.   * Tables
    113. 

  113.   */
    114. 

  114.  
    115. 

  115. -static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
    116. 

  116. +static struct nft_table *nft_table_lookup(const struct net *net,
    117. 

  117.  					  const struct nlattr *nla,
    118. 

  118. -					  u8 genmask)
    119. 

  119. +					  u8 family, u8 genmask)
    120. 

  120.  {
    121. 

  121.  	struct nft_table *table;
    122. 

  122.  
    123. 

  123. -	list_for_each_entry(table, &afi->tables, list) {
    124. 

  124. +	list_for_each_entry(table, &net->nft.tables, list) {
    125. 

  125.  		if (!nla_strcmp(nla, table->name) &&
    126. 

  126. +		    table->afi->family == family &&
    127. 

  127.  		    nft_active_genmask(table, genmask))
    128. 

  128.  			return table;
    129. 

  129.  	}
    130. 

  130.  	return NULL;
    131. 

  131.  }
    132. 

  132.  
    133. 

  133. -static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
    134. 

  134. +static struct nft_table *nf_tables_table_lookup(const struct net *net,
    135. 

  135.  						const struct nlattr *nla,
    136. 

  136. -						u8 genmask)
    137. 

  137. +						u8 family, u8 genmask)
    138. 

  138.  {
    139. 

  139.  	struct nft_table *table;
    140. 

  140.  
    141. 

  141.  	if (nla == NULL)
    142. 

  142.  		return ERR_PTR(-EINVAL);
    143. 

  143.  
    144. 

  144. -	table = nft_table_lookup(afi, nla, genmask);
    145. 

  145. +	table = nft_table_lookup(net, nla, family, genmask);
    146. 

  146.  	if (table != NULL)
    147. 

  147.  		return table;
    148. 

  148.  
    149. 

  149. @@ -551,7 +551,7 @@ static void nf_tables_table_notify(const
    150. 

  150.  		goto err;
    151. 

  151.  
    152. 

  152.  	err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
    153. 

  153. -					event, 0, ctx->afi->family, ctx->table);
    154. 

  154. +					event, 0, ctx->family, ctx->table);
    155. 

  155.  	if (err < 0) {
    156. 

  156.  		kfree_skb(skb);
    157. 

  157.  		goto err;
    158. 

  158. @@ -568,7 +568,6 @@ static int nf_tables_dump_tables(struct
    159. 

  159.  				 struct netlink_callback *cb)
    160. 

  160.  {
    161. 

  161.  	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
    162. 

  162. -	const struct nft_af_info *afi;
    163. 

  163.  	const struct nft_table *table;
    164. 

  164.  	unsigned int idx = 0, s_idx = cb->args[0];
    165. 

  165.  	struct net *net = sock_net(skb->sk);
    166. 

  166. @@ -577,30 +576,27 @@ static int nf_tables_dump_tables(struct
    167. 

  167.  	rcu_read_lock();
    168. 

  168.  	cb->seq = net->nft.base_seq;
    169. 

  169.  
    170. 

  170. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    171. 

  171. -		if (family != NFPROTO_UNSPEC && family != afi->family)
    172. 

  172. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    173. 

  173. +		if (family != NFPROTO_UNSPEC && family != table->afi->family)
    174. 

  174.  			continue;
    175. 

  175.  
    176. 

  176. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    177. 

  177. -			if (idx < s_idx)
    178. 

  178. -				goto cont;
    179. 

  179. -			if (idx > s_idx)
    180. 

  180. -				memset(&cb->args[1], 0,
    181. 

  181. -				       sizeof(cb->args) - sizeof(cb->args[0]));
    182. 

  182. -			if (!nft_is_active(net, table))
    183. 

  183. -				continue;
    184. 

  184. -			if (nf_tables_fill_table_info(skb, net,
    185. 

  185. -						      NETLINK_CB(cb->skb).portid,
    186. 

  186. -						      cb->nlh->nlmsg_seq,
    187. 

  187. -						      NFT_MSG_NEWTABLE,
    188. 

  188. -						      NLM_F_MULTI,
    189. 

  189. -						      afi->family, table) < 0)
    190. 

  190. -				goto done;
    191. 

  191. +		if (idx < s_idx)
    192. 

  192. +			goto cont;
    193. 

  193. +		if (idx > s_idx)
    194. 

  194. +			memset(&cb->args[1], 0,
    195. 

  195. +			       sizeof(cb->args) - sizeof(cb->args[0]));
    196. 

  196. +		if (!nft_is_active(net, table))
    197. 

  197. +			continue;
    198. 

  198. +		if (nf_tables_fill_table_info(skb, net,
    199. 

  199. +					      NETLINK_CB(cb->skb).portid,
    200. 

  200. +					      cb->nlh->nlmsg_seq,
    201. 

  201. +					      NFT_MSG_NEWTABLE, NLM_F_MULTI,
    202. 

  202. +					      table->afi->family, table) < 0)
    203. 

  203. +			goto done;
    204. 

  204.  
    205. 

  205. -			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    206. 

  206. +		nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    207. 

  207.  cont:
    208. 

  208. -			idx++;
    209. 

  209. -		}
    210. 

  210. +		idx++;
    211. 

  211.  	}
    212. 

  212.  done:
    213. 

  213.  	rcu_read_unlock();
    214. 

  214. @@ -632,7 +628,8 @@ static int nf_tables_gettable(struct net
    215. 

  215.  	if (IS_ERR(afi))
    216. 

  216.  		return PTR_ERR(afi);
    217. 

  217.  
    218. 

  218. -	table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
    219. 

  219. +	table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
    220. 

  220. +				       genmask);
    221. 

  221.  	if (IS_ERR(table))
    222. 

  222.  		return PTR_ERR(table);
    223. 

  223.  
    224. 

  224. @@ -763,7 +760,7 @@ static int nf_tables_newtable(struct net
    225. 

  225.  		return PTR_ERR(afi);
    226. 

  226.  
    227. 

  227.  	name = nla[NFTA_TABLE_NAME];
    228. 

  228. -	table = nf_tables_table_lookup(afi, name, genmask);
    229. 

  229. +	table = nf_tables_table_lookup(net, name, afi->family, genmask);
    230. 

  230.  	if (IS_ERR(table)) {
    231. 

  231.  		if (PTR_ERR(table) != -ENOENT)
    232. 

  232.  			return PTR_ERR(table);
    233. 

  233. @@ -773,7 +770,7 @@ static int nf_tables_newtable(struct net
    234. 

  234.  		if (nlh->nlmsg_flags & NLM_F_REPLACE)
    235. 

  235.  			return -EOPNOTSUPP;
    236. 

  236.  
    237. 

  237. -		nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    238. 

  238. +		nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    239. 

  239.  		return nf_tables_updtable(&ctx);
    240. 

  240.  	}
    241. 

  241.  
    242. 

  242. @@ -800,14 +797,15 @@ static int nf_tables_newtable(struct net
    243. 

  243.  	INIT_LIST_HEAD(&table->sets);
    244. 

  244.  	INIT_LIST_HEAD(&table->objects);
    245. 

  245.  	INIT_LIST_HEAD(&table->flowtables);
    246. 

  246. +	table->afi = afi;
    247. 

  247.  	table->flags = flags;
    248. 

  248.  
    249. 

  249. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    250. 

  250. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    251. 

  251.  	err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
    252. 

  252.  	if (err < 0)
    253. 

  253.  		goto err4;
    254. 

  254.  
    255. 

  255. -	list_add_tail_rcu(&table->list, &afi->tables);
    256. 

  256. +	list_add_tail_rcu(&table->list, &net->nft.tables);
    257. 

  257.  	return 0;
    258. 

  258.  err4:
    259. 

  259.  	kfree(table->name);
    260. 

  260. @@ -881,30 +879,28 @@ out:
    261. 

  261.  
    262. 

  262.  static int nft_flush(struct nft_ctx *ctx, int family)
    263. 

  263.  {
    264. 

  264. -	struct nft_af_info *afi;
    265. 

  265.  	struct nft_table *table, *nt;
    266. 

  266.  	const struct nlattr * const *nla = ctx->nla;
    267. 

  267.  	int err = 0;
    268. 

  268.  
    269. 

  269. -	list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
    270. 

  270. -		if (family != AF_UNSPEC && afi->family != family)
    271. 

  271. +	list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
    272. 

  272. +		if (family != AF_UNSPEC && table->afi->family != family)
    273. 

  273.  			continue;
    274. 

  274.  
    275. 

  275. -		ctx->afi = afi;
    276. 

  276. -		list_for_each_entry_safe(table, nt, &afi->tables, list) {
    277. 

  277. -			if (!nft_is_active_next(ctx->net, table))
    278. 

  278. -				continue;
    279. 

  279. +		ctx->family = table->afi->family;
    280. 

  280.  
    281. 

  281. -			if (nla[NFTA_TABLE_NAME] &&
    282. 

  282. -			    nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
    283. 

  283. -				continue;
    284. 

  284. +		if (!nft_is_active_next(ctx->net, table))
    285. 

  285. +			continue;
    286. 

  286.  
    287. 

  287. -			ctx->table = table;
    288. 

  288. +		if (nla[NFTA_TABLE_NAME] &&
    289. 

  289. +		    nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
    290. 

  290. +			continue;
    291. 

  291.  
    292. 

  292. -			err = nft_flush_table(ctx);
    293. 

  293. -			if (err < 0)
    294. 

  294. -				goto out;
    295. 

  295. -		}
    296. 

  296. +		ctx->table = table;
    297. 

  297. +
    298. 

  298. +		err = nft_flush_table(ctx);
    299. 

  299. +		if (err < 0)
    300. 

  300. +			goto out;
    301. 

  301.  	}
    302. 

  302.  out:
    303. 

  303.  	return err;
    304. 

  304. @@ -922,7 +918,7 @@ static int nf_tables_deltable(struct net
    305. 

  305.  	int family = nfmsg->nfgen_family;
    306. 

  306.  	struct nft_ctx ctx;
    307. 

  307.  
    308. 

  308. -	nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
    309. 

  309. +	nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
    310. 

  310.  	if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
    311. 

  311.  		return nft_flush(&ctx, family);
    312. 

  312.  
    313. 

  313. @@ -930,7 +926,8 @@ static int nf_tables_deltable(struct net
    314. 

  314.  	if (IS_ERR(afi))
    315. 

  315.  		return PTR_ERR(afi);
    316. 

  316.  
    317. 

  317. -	table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
    318. 

  318. +	table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family,
    319. 

  319. +				       genmask);
    320. 

  320.  	if (IS_ERR(table))
    321. 

  321.  		return PTR_ERR(table);
    322. 

  322.  
    323. 

  323. @@ -938,7 +935,7 @@ static int nf_tables_deltable(struct net
    324. 

  324.  	    table->use > 0)
    325. 

  325.  		return -EBUSY;
    326. 

  326.  
    327. 

  327. -	ctx.afi = afi;
    328. 

  328. +	ctx.family = afi->family;
    329. 

  329.  	ctx.table = table;
    330. 

  330.  
    331. 

  331.  	return nft_flush_table(&ctx);
    332. 

  332. @@ -950,7 +947,7 @@ static void nf_tables_table_destroy(stru
    333. 

  333.  
    334. 

  334.  	kfree(ctx->table->name);
    335. 

  335.  	kfree(ctx->table);
    336. 

  336. -	module_put(ctx->afi->owner);
    337. 

  337. +	module_put(ctx->table->afi->owner);
    338. 

  338.  }
    339. 

  339.  
    340. 

  340.  int nft_register_chain_type(const struct nf_chain_type *ctype)
    341. 

  341. @@ -1151,7 +1148,7 @@ static void nf_tables_chain_notify(const
    342. 

  342.  		goto err;
    343. 

  343.  
    344. 

  344.  	err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
    345. 

  345. -					event, 0, ctx->afi->family, ctx->table,
    346. 

  346. +					event, 0, ctx->family, ctx->table,
    347. 

  347.  					ctx->chain);
    348. 

  348.  	if (err < 0) {
    349. 

  349.  		kfree_skb(skb);
    350. 

  350. @@ -1169,7 +1166,6 @@ static int nf_tables_dump_chains(struct
    351. 

  351.  				 struct netlink_callback *cb)
    352. 

  352.  {
    353. 

  353.  	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
    354. 

  354. -	const struct nft_af_info *afi;
    355. 

  355.  	const struct nft_table *table;
    356. 

  356.  	const struct nft_chain *chain;
    357. 

  357.  	unsigned int idx = 0, s_idx = cb->args[0];
    358. 

  358. @@ -1179,31 +1175,30 @@ static int nf_tables_dump_chains(struct
    359. 

  359.  	rcu_read_lock();
    360. 

  360.  	cb->seq = net->nft.base_seq;
    361. 

  361.  
    362. 

  362. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    363. 

  363. -		if (family != NFPROTO_UNSPEC && family != afi->family)
    364. 

  364. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    365. 

  365. +		if (family != NFPROTO_UNSPEC && family != table->afi->family)
    366. 

  366.  			continue;
    367. 

  367.  
    368. 

  368. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    369. 

  369. -			list_for_each_entry_rcu(chain, &table->chains, list) {
    370. 

  370. -				if (idx < s_idx)
    371. 

  371. -					goto cont;
    372. 

  372. -				if (idx > s_idx)
    373. 

  373. -					memset(&cb->args[1], 0,
    374. 

  374. -					       sizeof(cb->args) - sizeof(cb->args[0]));
    375. 

  375. -				if (!nft_is_active(net, chain))
    376. 

  376. -					continue;
    377. 

  377. -				if (nf_tables_fill_chain_info(skb, net,
    378. 

  378. -							      NETLINK_CB(cb->skb).portid,
    379. 

  379. -							      cb->nlh->nlmsg_seq,
    380. 

  380. -							      NFT_MSG_NEWCHAIN,
    381. 

  381. -							      NLM_F_MULTI,
    382. 

  382. -							      afi->family, table, chain) < 0)
    383. 

  383. -					goto done;
    384. 

  384. +		list_for_each_entry_rcu(chain, &table->chains, list) {
    385. 

  385. +			if (idx < s_idx)
    386. 

  386. +				goto cont;
    387. 

  387. +			if (idx > s_idx)
    388. 

  388. +				memset(&cb->args[1], 0,
    389. 

  389. +				       sizeof(cb->args) - sizeof(cb->args[0]));
    390. 

  390. +			if (!nft_is_active(net, chain))
    391. 

  391. +				continue;
    392. 

  392. +			if (nf_tables_fill_chain_info(skb, net,
    393. 

  393. +						      NETLINK_CB(cb->skb).portid,
    394. 

  394. +						      cb->nlh->nlmsg_seq,
    395. 

  395. +						      NFT_MSG_NEWCHAIN,
    396. 

  396. +						      NLM_F_MULTI,
    397. 

  397. +						      table->afi->family, table,
    398. 

  398. +						      chain) < 0)
    399. 

  399. +				goto done;
    400. 

  400.  
    401. 

  401. -				nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    402. 

  402. +			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    403. 

  403.  cont:
    404. 

  404. -				idx++;
    405. 

  405. -			}
    406. 

  406. +			idx++;
    407. 

  407.  		}
    408. 

  408.  	}
    409. 

  409.  done:
    410. 

  410. @@ -1237,7 +1232,8 @@ static int nf_tables_getchain(struct net
    411. 

  411.  	if (IS_ERR(afi))
    412. 

  412.  		return PTR_ERR(afi);
    413. 

  413.  
    414. 

  414. -	table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
    415. 

  415. +	table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
    416. 

  416. +				       genmask);
    417. 

  417.  	if (IS_ERR(table))
    418. 

  418.  		return PTR_ERR(table);
    419. 

  419.  
    420. 

  420. @@ -1347,8 +1343,8 @@ struct nft_chain_hook {
    421. 

  421.  
    422. 

  422.  static int nft_chain_parse_hook(struct net *net,
    423. 

  423.  				const struct nlattr * const nla[],
    424. 

  424. -				struct nft_af_info *afi,
    425. 

  425. -				struct nft_chain_hook *hook, bool create)
    426. 

  426. +				struct nft_chain_hook *hook, u8 family,
    427. 

  427. +				bool create)
    428. 

  428.  {
    429. 

  429.  	struct nlattr *ha[NFTA_HOOK_MAX + 1];
    430. 

  430.  	const struct nf_chain_type *type;
    431. 

  431. @@ -1367,10 +1363,10 @@ static int nft_chain_parse_hook(struct n
    432. 

  432.  	hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
    433. 

  433.  	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
    434. 

  434.  
    435. 

  435. -	type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
    436. 

  436. +	type = chain_type[family][NFT_CHAIN_T_DEFAULT];
    437. 

  437.  	if (nla[NFTA_CHAIN_TYPE]) {
    438. 

  438.  		type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
    439. 

  439. -						   afi->family, create);
    440. 

  440. +						   family, create);
    441. 

  441.  		if (IS_ERR(type))
    442. 

  442.  			return PTR_ERR(type);
    443. 

  443.  	}
    444. 

  444. @@ -1382,7 +1378,7 @@ static int nft_chain_parse_hook(struct n
    445. 

  445.  	hook->type = type;
    446. 

  446.  
    447. 

  447.  	hook->dev = NULL;
    448. 

  448. -	if (afi->family == NFPROTO_NETDEV) {
    449. 

  449. +	if (family == NFPROTO_NETDEV) {
    450. 

  450.  		char ifname[IFNAMSIZ];
    451. 

  451.  
    452. 

  452.  		if (!ha[NFTA_HOOK_DEV]) {
    453. 

  453. @@ -1417,7 +1413,6 @@ static int nf_tables_addchain(struct nft
    454. 

  454.  {
    455. 

  455.  	const struct nlattr * const *nla = ctx->nla;
    456. 

  456.  	struct nft_table *table = ctx->table;
    457. 

  457. -	struct nft_af_info *afi = ctx->afi;
    458. 

  458.  	struct nft_base_chain *basechain;
    459. 

  459.  	struct nft_stats __percpu *stats;
    460. 

  460.  	struct net *net = ctx->net;
    461. 

  461. @@ -1431,7 +1426,7 @@ static int nf_tables_addchain(struct nft
    462. 

  462.  		struct nft_chain_hook hook;
    463. 

  463.  		struct nf_hook_ops *ops;
    464. 

  464.  
    465. 

  465. -		err = nft_chain_parse_hook(net, nla, afi, &hook, create);
    466. 

  466. +		err = nft_chain_parse_hook(net, nla, &hook, family, create);
    467. 

  467.  		if (err < 0)
    468. 

  468.  			return err;
    469. 

  469.  
    470. 

  470. @@ -1523,7 +1518,7 @@ static int nf_tables_updchain(struct nft
    471. 

  471.  		if (!nft_is_base_chain(chain))
    472. 

  472.  			return -EBUSY;
    473. 

  473.  
    474. 

  474. -		err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
    475. 

  475. +		err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
    476. 

  476.  					   create);
    477. 

  477.  		if (err < 0)
    478. 

  478.  			return err;
    479. 

  479. @@ -1633,7 +1628,8 @@ static int nf_tables_newchain(struct net
    480. 

  480.  	if (IS_ERR(afi))
    481. 

  481.  		return PTR_ERR(afi);
    482. 

  482.  
    483. 

  483. -	table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
    484. 

  484. +	table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
    485. 

  485. +				       genmask);
    486. 

  486.  	if (IS_ERR(table))
    487. 

  487.  		return PTR_ERR(table);
    488. 

  488.  
    489. 

  489. @@ -1673,7 +1669,7 @@ static int nf_tables_newchain(struct net
    490. 

  490.  		}
    491. 

  491.  	}
    492. 

  492.  
    493. 

  493. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
    494. 

  494. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
    495. 

  495.  
    496. 

  496.  	if (chain != NULL) {
    497. 

  497.  		if (nlh->nlmsg_flags & NLM_F_EXCL)
    498. 

  498. @@ -1707,7 +1703,8 @@ static int nf_tables_delchain(struct net
    499. 

  499.  	if (IS_ERR(afi))
    500. 

  500.  		return PTR_ERR(afi);
    501. 

  501.  
    502. 

  502. -	table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
    503. 

  503. +	table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family,
    504. 

  504. +				       genmask);
    505. 

  505.  	if (IS_ERR(table))
    506. 

  506.  		return PTR_ERR(table);
    507. 

  507.  
    508. 

  508. @@ -1719,7 +1716,7 @@ static int nf_tables_delchain(struct net
    509. 

  509.  	    chain->use > 0)
    510. 

  510.  		return -EBUSY;
    511. 

  511.  
    512. 

  512. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
    513. 

  513. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
    514. 

  514.  
    515. 

  515.  	use = chain->use;
    516. 

  516.  	list_for_each_entry(rule, &chain->rules, list) {
    517. 

  517. @@ -1887,7 +1884,7 @@ static int nf_tables_expr_parse(const st
    518. 

  518.  	if (err < 0)
    519. 

  519.  		return err;
    520. 

  520.  
    521. 

  521. -	type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
    522. 

  522. +	type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
    523. 

  523.  	if (IS_ERR(type))
    524. 

  524.  		return PTR_ERR(type);
    525. 

  525.  
    526. 

  526. @@ -2115,7 +2112,7 @@ static void nf_tables_rule_notify(const
    527. 

  527.  		goto err;
    528. 

  528.  
    529. 

  529.  	err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
    530. 

  530. -				       event, 0, ctx->afi->family, ctx->table,
    531. 

  531. +				       event, 0, ctx->family, ctx->table,
    532. 

  532.  				       ctx->chain, rule);
    533. 

  533.  	if (err < 0) {
    534. 

  534.  		kfree_skb(skb);
    535. 

  535. @@ -2139,7 +2136,6 @@ static int nf_tables_dump_rules(struct s
    536. 

  536.  {
    537. 

  537.  	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
    538. 

  538.  	const struct nft_rule_dump_ctx *ctx = cb->data;
    539. 

  539. -	const struct nft_af_info *afi;
    540. 

  540.  	const struct nft_table *table;
    541. 

  541.  	const struct nft_chain *chain;
    542. 

  542.  	const struct nft_rule *rule;
    543. 

  543. @@ -2150,39 +2146,37 @@ static int nf_tables_dump_rules(struct s
    544. 

  544.  	rcu_read_lock();
    545. 

  545.  	cb->seq = net->nft.base_seq;
    546. 

  546.  
    547. 

  547. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    548. 

  548. -		if (family != NFPROTO_UNSPEC && family != afi->family)
    549. 

  549. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    550. 

  550. +		if (family != NFPROTO_UNSPEC && family != table->afi->family)
    551. 

  551. +			continue;
    552. 

  552. +
    553. 

  553. +		if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
    554. 

  554.  			continue;
    555. 

  555.  
    556. 

  556. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    557. 

  557. -			if (ctx && ctx->table &&
    558. 

  558. -			    strcmp(ctx->table, table->name) != 0)
    559. 

  559. +		list_for_each_entry_rcu(chain, &table->chains, list) {
    560. 

  560. +			if (ctx && ctx->chain &&
    561. 

  561. +			    strcmp(ctx->chain, chain->name) != 0)
    562. 

  562.  				continue;
    563. 

  563.  
    564. 

  564. -			list_for_each_entry_rcu(chain, &table->chains, list) {
    565. 

  565. -				if (ctx && ctx->chain &&
    566. 

  566. -				    strcmp(ctx->chain, chain->name) != 0)
    567. 

  567. -					continue;
    568. 

  568. -
    569. 

  569. -				list_for_each_entry_rcu(rule, &chain->rules, list) {
    570. 

  570. -					if (!nft_is_active(net, rule))
    571. 

  571. -						goto cont;
    572. 

  572. -					if (idx < s_idx)
    573. 

  573. -						goto cont;
    574. 

  574. -					if (idx > s_idx)
    575. 

  575. -						memset(&cb->args[1], 0,
    576. 

  576. -						       sizeof(cb->args) - sizeof(cb->args[0]));
    577. 

  577. -					if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
    578. 

  578. -								      cb->nlh->nlmsg_seq,
    579. 

  579. -								      NFT_MSG_NEWRULE,
    580. 

  580. -								      NLM_F_MULTI | NLM_F_APPEND,
    581. 

  581. -								      afi->family, table, chain, rule) < 0)
    582. 

  582. -						goto done;
    583. 

  583. +			list_for_each_entry_rcu(rule, &chain->rules, list) {
    584. 

  584. +				if (!nft_is_active(net, rule))
    585. 

  585. +					goto cont;
    586. 

  586. +				if (idx < s_idx)
    587. 

  587. +					goto cont;
    588. 

  588. +				if (idx > s_idx)
    589. 

  589. +					memset(&cb->args[1], 0,
    590. 

  590. +					       sizeof(cb->args) - sizeof(cb->args[0]));
    591. 

  591. +				if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
    592. 

  592. +							      cb->nlh->nlmsg_seq,
    593. 

  593. +							      NFT_MSG_NEWRULE,
    594. 

  594. +							      NLM_F_MULTI | NLM_F_APPEND,
    595. 

  595. +							      table->afi->family,
    596. 

  596. +							      table, chain, rule) < 0)
    597. 

  597. +					goto done;
    598. 

  598.  
    599. 

  599. -					nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    600. 

  600. +				nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    601. 

  601.  cont:
    602. 

  602. -					idx++;
    603. 

  603. -				}
    604. 

  604. +				idx++;
    605. 

  605.  			}
    606. 

  606.  		}
    607. 

  607.  	}
    608. 

  608. @@ -2260,7 +2254,8 @@ static int nf_tables_getrule(struct net
    609. 

  609.  	if (IS_ERR(afi))
    610. 

  610.  		return PTR_ERR(afi);
    611. 

  611.  
    612. 

  612. -	table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
    613. 

  613. +	table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
    614. 

  614. +				       genmask);
    615. 

  615.  	if (IS_ERR(table))
    616. 

  616.  		return PTR_ERR(table);
    617. 

  617.  
    618. 

  618. @@ -2345,7 +2340,8 @@ static int nf_tables_newrule(struct net
    619. 

  619.  	if (IS_ERR(afi))
    620. 

  620.  		return PTR_ERR(afi);
    621. 

  621.  
    622. 

  622. -	table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
    623. 

  623. +	table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
    624. 

  624. +				       genmask);
    625. 

  625.  	if (IS_ERR(table))
    626. 

  626.  		return PTR_ERR(table);
    627. 

  627.  
    628. 

  628. @@ -2384,7 +2380,7 @@ static int nf_tables_newrule(struct net
    629. 

  629.  			return PTR_ERR(old_rule);
    630. 

  630.  	}
    631. 

  631.  
    632. 

  632. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
    633. 

  633. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
    634. 

  634.  
    635. 

  635.  	n = 0;
    636. 

  636.  	size = 0;
    637. 

  637. @@ -2517,7 +2513,8 @@ static int nf_tables_delrule(struct net
    638. 

  638.  	if (IS_ERR(afi))
    639. 

  639.  		return PTR_ERR(afi);
    640. 

  640.  
    641. 

  641. -	table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
    642. 

  642. +	table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family,
    643. 

  643. +				       genmask);
    644. 

  644.  	if (IS_ERR(table))
    645. 

  645.  		return PTR_ERR(table);
    646. 

  646.  
    647. 

  647. @@ -2528,7 +2525,7 @@ static int nf_tables_delrule(struct net
    648. 

  648.  			return PTR_ERR(chain);
    649. 

  649.  	}
    650. 

  650.  
    651. 

  651. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
    652. 

  652. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla);
    653. 

  653.  
    654. 

  654.  	if (chain) {
    655. 

  655.  		if (nla[NFTA_RULE_HANDLE]) {
    656. 

  656. @@ -2726,13 +2723,13 @@ static int nft_ctx_init_from_setattr(str
    657. 

  657.  		if (afi == NULL)
    658. 

  658.  			return -EAFNOSUPPORT;
    659. 

  659.  
    660. 

  660. -		table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
    661. 

  661. -					       genmask);
    662. 

  662. +		table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE],
    663. 

  663. +					       afi->family, genmask);
    664. 

  664.  		if (IS_ERR(table))
    665. 

  665.  			return PTR_ERR(table);
    666. 

  666.  	}
    667. 

  667.  
    668. 

  668. -	nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
    669. 

  669. +	nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
    670. 

  670.  	return 0;
    671. 

  671.  }
    672. 

  672.  
    673. 

  673. @@ -2860,7 +2857,7 @@ static int nf_tables_fill_set(struct sk_
    674. 

  674.  		goto nla_put_failure;
    675. 

  675.  
    676. 

  676.  	nfmsg = nlmsg_data(nlh);
    677. 

  677. -	nfmsg->nfgen_family	= ctx->afi->family;
    678. 

  678. +	nfmsg->nfgen_family	= ctx->family;
    679. 

  679.  	nfmsg->version		= NFNETLINK_V0;
    680. 

  680.  	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
    681. 

  681.  
    682. 

  682. @@ -2953,10 +2950,8 @@ static int nf_tables_dump_sets(struct sk
    683. 

  683.  {
    684. 

  684.  	const struct nft_set *set;
    685. 

  685.  	unsigned int idx, s_idx = cb->args[0];
    686. 

  686. -	struct nft_af_info *afi;
    687. 

  687.  	struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
    688. 

  688.  	struct net *net = sock_net(skb->sk);
    689. 

  689. -	int cur_family = cb->args[3];
    690. 

  690.  	struct nft_ctx *ctx = cb->data, ctx_set;
    691. 

  691.  
    692. 

  692.  	if (cb->args[1])
    693. 

  693. @@ -2965,51 +2960,44 @@ static int nf_tables_dump_sets(struct sk
    694. 

  694.  	rcu_read_lock();
    695. 

  695.  	cb->seq = net->nft.base_seq;
    696. 

  696.  
    697. 

  697. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    698. 

  698. -		if (ctx->afi && ctx->afi != afi)
    699. 

  699. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    700. 

  700. +		if (ctx->family != NFPROTO_UNSPEC &&
    701. 

  701. +		    ctx->family != table->afi->family)
    702. 

  702.  			continue;
    703. 

  703.  
    704. 

  704. -		if (cur_family) {
    705. 

  705. -			if (afi->family != cur_family)
    706. 

  706. -				continue;
    707. 

  707. +		if (ctx->table && ctx->table != table)
    708. 

  708. +			continue;
    709. 

  709.  
    710. 

  710. -			cur_family = 0;
    711. 

  711. -		}
    712. 

  712. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    713. 

  713. -			if (ctx->table && ctx->table != table)
    714. 

  714. +		if (cur_table) {
    715. 

  715. +			if (cur_table != table)
    716. 

  716.  				continue;
    717. 

  717.  
    718. 

  718. -			if (cur_table) {
    719. 

  719. -				if (cur_table != table)
    720. 

  720. -					continue;
    721. 

  721. +			cur_table = NULL;
    722. 

  722. +		}
    723. 

  723. +		idx = 0;
    724. 

  724. +		list_for_each_entry_rcu(set, &table->sets, list) {
    725. 

  725. +			if (idx < s_idx)
    726. 

  726. +				goto cont;
    727. 

  727. +			if (!nft_is_active(net, set))
    728. 

  728. +				goto cont;
    729. 

  729.  
    730. 

  730. -				cur_table = NULL;
    731. 

  731. +			ctx_set = *ctx;
    732. 

  732. +			ctx_set.table = table;
    733. 

  733. +			ctx_set.family = table->afi->family;
    734. 

  734. +
    735. 

  735. +			if (nf_tables_fill_set(skb, &ctx_set, set,
    736. 

  736. +					       NFT_MSG_NEWSET,
    737. 

  737. +					       NLM_F_MULTI) < 0) {
    738. 

  738. +				cb->args[0] = idx;
    739. 

  739. +				cb->args[2] = (unsigned long) table;
    740. 

  740. +				goto done;
    741. 

  741.  			}
    742. 

  742. -			idx = 0;
    743. 

  743. -			list_for_each_entry_rcu(set, &table->sets, list) {
    744. 

  744. -				if (idx < s_idx)
    745. 

  745. -					goto cont;
    746. 

  746. -				if (!nft_is_active(net, set))
    747. 

  747. -					goto cont;
    748. 

  748. -
    749. 

  749. -				ctx_set = *ctx;
    750. 

  750. -				ctx_set.table = table;
    751. 

  751. -				ctx_set.afi = afi;
    752. 

  752. -				if (nf_tables_fill_set(skb, &ctx_set, set,
    753. 

  753. -						       NFT_MSG_NEWSET,
    754. 

  754. -						       NLM_F_MULTI) < 0) {
    755. 

  755. -					cb->args[0] = idx;
    756. 

  756. -					cb->args[2] = (unsigned long) table;
    757. 

  757. -					cb->args[3] = afi->family;
    758. 

  758. -					goto done;
    759. 

  759. -				}
    760. 

  760. -				nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    761. 

  761. +			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    762. 

  762.  cont:
    763. 

  763. -				idx++;
    764. 

  764. -			}
    765. 

  765. -			if (s_idx)
    766. 

  766. -				s_idx = 0;
    767. 

  767. +			idx++;
    768. 

  768.  		}
    769. 

  769. +		if (s_idx)
    770. 

  770. +			s_idx = 0;
    771. 

  771.  	}
    772. 

  772.  	cb->args[1] = 1;
    773. 

  773.  done:
    774. 

  774. @@ -3222,11 +3210,12 @@ static int nf_tables_newset(struct net *
    775. 

  775.  	if (IS_ERR(afi))
    776. 

  776.  		return PTR_ERR(afi);
    777. 

  777.  
    778. 

  778. -	table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
    779. 

  779. +	table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family,
    780. 

  780. +				       genmask);
    781. 

  781.  	if (IS_ERR(table))
    782. 

  782.  		return PTR_ERR(table);
    783. 

  783.  
    784. 

  784. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    785. 

  785. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    786. 

  786.  
    787. 

  787.  	set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
    788. 

  788.  	if (IS_ERR(set)) {
    789. 

  789. @@ -3495,12 +3484,12 @@ static int nft_ctx_init_from_elemattr(st
    790. 

  790.  	if (IS_ERR(afi))
    791. 

  791.  		return PTR_ERR(afi);
    792. 

  792.  
    793. 

  793. -	table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
    794. 

  794. -				       genmask);
    795. 

  795. +	table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE],
    796. 

  796. +				       afi->family, genmask);
    797. 

  797.  	if (IS_ERR(table))
    798. 

  798.  		return PTR_ERR(table);
    799. 

  799.  
    800. 

  800. -	nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
    801. 

  801. +	nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla);
    802. 

  802.  	return 0;
    803. 

  803.  }
    804. 

  804.  
    805. 

  805. @@ -3605,7 +3594,6 @@ static int nf_tables_dump_set(struct sk_
    806. 

  806.  {
    807. 

  807.  	struct nft_set_dump_ctx *dump_ctx = cb->data;
    808. 

  808.  	struct net *net = sock_net(skb->sk);
    809. 

  809. -	struct nft_af_info *afi;
    810. 

  810.  	struct nft_table *table;
    811. 

  811.  	struct nft_set *set;
    812. 

  812.  	struct nft_set_dump_args args;
    813. 

  813. @@ -3617,21 +3605,19 @@ static int nf_tables_dump_set(struct sk_
    814. 

  814.  	int event;
    815. 

  815.  
    816. 

  816.  	rcu_read_lock();
    817. 

  817. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    818. 

  818. -		if (afi != dump_ctx->ctx.afi)
    819. 

  819. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    820. 

  820. +		if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
    821. 

  821. +		    dump_ctx->ctx.family != table->afi->family)
    822. 

  822.  			continue;
    823. 

  823.  
    824. 

  824. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    825. 

  825. -			if (table != dump_ctx->ctx.table)
    826. 

  826. -				continue;
    827. 

  827. +		if (table != dump_ctx->ctx.table)
    828. 

  828. +			continue;
    829. 

  829.  
    830. 

  830. -			list_for_each_entry_rcu(set, &table->sets, list) {
    831. 

  831. -				if (set == dump_ctx->set) {
    832. 

  832. -					set_found = true;
    833. 

  833. -					break;
    834. 

  834. -				}
    835. 

  835. +		list_for_each_entry_rcu(set, &table->sets, list) {
    836. 

  836. +			if (set == dump_ctx->set) {
    837. 

  837. +				set_found = true;
    838. 

  838. +				break;
    839. 

  839.  			}
    840. 

  840. -			break;
    841. 

  841.  		}
    842. 

  842.  		break;
    843. 

  843.  	}
    844. 

  844. @@ -3651,7 +3637,7 @@ static int nf_tables_dump_set(struct sk_
    845. 

  845.  		goto nla_put_failure;
    846. 

  846.  
    847. 

  847.  	nfmsg = nlmsg_data(nlh);
    848. 

  848. -	nfmsg->nfgen_family = afi->family;
    849. 

  849. +	nfmsg->nfgen_family = table->afi->family;
    850. 

  850.  	nfmsg->version      = NFNETLINK_V0;
    851. 

  851.  	nfmsg->res_id	    = htons(net->nft.base_seq & 0xffff);
    852. 

  852.  
    853. 

  853. @@ -3753,7 +3739,7 @@ static int nf_tables_fill_setelem_info(s
    854. 

  854.  		goto nla_put_failure;
    855. 

  855.  
    856. 

  856.  	nfmsg = nlmsg_data(nlh);
    857. 

  857. -	nfmsg->nfgen_family	= ctx->afi->family;
    858. 

  858. +	nfmsg->nfgen_family	= ctx->family;
    859. 

  859.  	nfmsg->version		= NFNETLINK_V0;
    860. 

  860.  	nfmsg->res_id		= htons(ctx->net->nft.base_seq & 0xffff);
    861. 

  861.  
    862. 

  862. @@ -4003,7 +3989,7 @@ static int nft_add_set_elem(struct nft_c
    863. 

  863.  		list_for_each_entry(binding, &set->bindings, list) {
    864. 

  864.  			struct nft_ctx bind_ctx = {
    865. 

  865.  				.net	= ctx->net,
    866. 

  866. -				.afi	= ctx->afi,
    867. 

  867. +				.family	= ctx->family,
    868. 

  868.  				.table	= ctx->table,
    869. 

  869.  				.chain	= (struct nft_chain *)binding->chain,
    870. 

  870.  			};
    871. 

  871. @@ -4555,7 +4541,8 @@ static int nf_tables_newobj(struct net *
    872. 

  872.  	if (IS_ERR(afi))
    873. 

  873.  		return PTR_ERR(afi);
    874. 

  874.  
    875. 

  875. -	table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
    876. 

  876. +	table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
    877. 

  877. +				       genmask);
    878. 

  878.  	if (IS_ERR(table))
    879. 

  879.  		return PTR_ERR(table);
    880. 

  880.  
    881. 

  881. @@ -4573,7 +4560,7 @@ static int nf_tables_newobj(struct net *
    882. 

  882.  		return 0;
    883. 

  883.  	}
    884. 

  884.  
    885. 

  885. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    886. 

  886. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    887. 

  887.  
    888. 

  888.  	type = nft_obj_type_get(objtype);
    889. 

  889.  	if (IS_ERR(type))
    890. 

  890. @@ -4650,7 +4637,6 @@ struct nft_obj_filter {
    891. 

  891.  static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
    892. 

  892.  {
    893. 

  893.  	const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
    894. 

  894. -	const struct nft_af_info *afi;
    895. 

  895.  	const struct nft_table *table;
    896. 

  896.  	unsigned int idx = 0, s_idx = cb->args[0];
    897. 

  897.  	struct nft_obj_filter *filter = cb->data;
    898. 

  898. @@ -4665,38 +4651,37 @@ static int nf_tables_dump_obj(struct sk_
    899. 

  899.  	rcu_read_lock();
    900. 

  900.  	cb->seq = net->nft.base_seq;
    901. 

  901.  
    902. 

  902. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    903. 

  903. -		if (family != NFPROTO_UNSPEC && family != afi->family)
    904. 

  904. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    905. 

  905. +		if (family != NFPROTO_UNSPEC && family != table->afi->family)
    906. 

  906.  			continue;
    907. 

  907.  
    908. 

  908. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    909. 

  909. -			list_for_each_entry_rcu(obj, &table->objects, list) {
    910. 

  910. -				if (!nft_is_active(net, obj))
    911. 

  911. -					goto cont;
    912. 

  912. -				if (idx < s_idx)
    913. 

  913. -					goto cont;
    914. 

  914. -				if (idx > s_idx)
    915. 

  915. -					memset(&cb->args[1], 0,
    916. 

  916. -					       sizeof(cb->args) - sizeof(cb->args[0]));
    917. 

  917. -				if (filter && filter->table &&
    918. 

  918. -				    strcmp(filter->table, table->name))
    919. 

  919. -					goto cont;
    920. 

  920. -				if (filter &&
    921. 

  921. -				    filter->type != NFT_OBJECT_UNSPEC &&
    922. 

  922. -				    obj->ops->type->type != filter->type)
    923. 

  923. -					goto cont;
    924. 

  924. +		list_for_each_entry_rcu(obj, &table->objects, list) {
    925. 

  925. +			if (!nft_is_active(net, obj))
    926. 

  926. +				goto cont;
    927. 

  927. +			if (idx < s_idx)
    928. 

  928. +				goto cont;
    929. 

  929. +			if (idx > s_idx)
    930. 

  930. +				memset(&cb->args[1], 0,
    931. 

  931. +				       sizeof(cb->args) - sizeof(cb->args[0]));
    932. 

  932. +			if (filter && filter->table &&
    933. 

  933. +			    strcmp(filter->table, table->name))
    934. 

  934. +				goto cont;
    935. 

  935. +			if (filter &&
    936. 

  936. +			    filter->type != NFT_OBJECT_UNSPEC &&
    937. 

  937. +			    obj->ops->type->type != filter->type)
    938. 

  938. +				goto cont;
    939. 

  939.  
    940. 

  940. -				if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
    941. 

  941. -							    cb->nlh->nlmsg_seq,
    942. 

  942. -							    NFT_MSG_NEWOBJ,
    943. 

  943. -							    NLM_F_MULTI | NLM_F_APPEND,
    944. 

  944. -							    afi->family, table, obj, reset) < 0)
    945. 

  945. -					goto done;
    946. 

  946. +			if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
    947. 

  947. +						    cb->nlh->nlmsg_seq,
    948. 

  948. +						    NFT_MSG_NEWOBJ,
    949. 

  949. +						    NLM_F_MULTI | NLM_F_APPEND,
    950. 

  950. +						    table->afi->family, table,
    951. 

  951. +						    obj, reset) < 0)
    952. 

  952. +				goto done;
    953. 

  953.  
    954. 

  954. -				nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    955. 

  955. +			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    956. 

  956.  cont:
    957. 

  957. -				idx++;
    958. 

  958. -			}
    959. 

  959. +			idx++;
    960. 

  960.  		}
    961. 

  961.  	}
    962. 

  962.  done:
    963. 

  963. @@ -4783,7 +4768,8 @@ static int nf_tables_getobj(struct net *
    964. 

  964.  	if (IS_ERR(afi))
    965. 

  965.  		return PTR_ERR(afi);
    966. 

  966.  
    967. 

  967. -	table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
    968. 

  968. +	table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
    969. 

  969. +				       genmask);
    970. 

  970.  	if (IS_ERR(table))
    971. 

  971.  		return PTR_ERR(table);
    972. 

  972.  
    973. 

  973. @@ -4843,7 +4829,8 @@ static int nf_tables_delobj(struct net *
    974. 

  974.  	if (IS_ERR(afi))
    975. 

  975.  		return PTR_ERR(afi);
    976. 

  976.  
    977. 

  977. -	table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
    978. 

  978. +	table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family,
    979. 

  979. +				       genmask);
    980. 

  980.  	if (IS_ERR(table))
    981. 

  981.  		return PTR_ERR(table);
    982. 

  982.  
    983. 

  983. @@ -4854,7 +4841,7 @@ static int nf_tables_delobj(struct net *
    984. 

  984.  	if (obj->use > 0)
    985. 

  985.  		return -EBUSY;
    986. 

  986.  
    987. 

  987. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    988. 

  988. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    989. 

  989.  
    990. 

  990.  	return nft_delobj(&ctx, obj);
    991. 

  991.  }
    992. 

  992. @@ -4892,7 +4879,7 @@ static void nf_tables_obj_notify(const s
    993. 

  993.  				 struct nft_object *obj, int event)
    994. 

  994.  {
    995. 

  995.  	nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
    996. 

  996. -		       ctx->afi->family, ctx->report, GFP_KERNEL);
    997. 

  997. +		       ctx->family, ctx->report, GFP_KERNEL);
    998. 

  998.  }
    999. 

  999.  
    1000. 

  1000.  /*
    1001. 

  1001. @@ -5082,7 +5069,7 @@ void nft_flow_table_iterate(struct net *
    1002. 

  1002.  
    1003. 

  1003.  	rcu_read_lock();
    1004. 

  1004.  	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    1005. 

  1005. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    1006. 

  1006. +		list_for_each_entry_rcu(table, &net->nft.tables, list) {
    1007. 

  1007.  			list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
    1008. 

  1008.  				iter(&flowtable->data, data);
    1009. 

  1009.  			}
    1010. 

  1010. @@ -5130,7 +5117,8 @@ static int nf_tables_newflowtable(struct
    1011. 

  1011.  	if (IS_ERR(afi))
    1012. 

  1012.  		return PTR_ERR(afi);
    1013. 

  1013.  
    1014. 

  1014. -	table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
    1015. 

  1015. +	table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
    1016. 

  1016. +				       afi->family, genmask);
    1017. 

  1017.  	if (IS_ERR(table))
    1018. 

  1018.  		return PTR_ERR(table);
    1019. 

  1019.  
    1020. 

  1020. @@ -5147,7 +5135,7 @@ static int nf_tables_newflowtable(struct
    1021. 

  1021.  		return 0;
    1022. 

  1022.  	}
    1023. 

  1023.  
    1024. 

  1024. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    1025. 

  1025. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    1026. 

  1026.  
    1027. 

  1027.  	flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
    1028. 

  1028.  	if (!flowtable)
    1029. 

  1029. @@ -5228,7 +5216,8 @@ static int nf_tables_delflowtable(struct
    1030. 

  1030.  	if (IS_ERR(afi))
    1031. 

  1031.  		return PTR_ERR(afi);
    1032. 

  1032.  
    1033. 

  1033. -	table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
    1034. 

  1034. +	table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
    1035. 

  1035. +				       afi->family, genmask);
    1036. 

  1036.  	if (IS_ERR(table))
    1037. 

  1037.  		return PTR_ERR(table);
    1038. 

  1038.  
    1039. 

  1039. @@ -5239,7 +5228,7 @@ static int nf_tables_delflowtable(struct
    1040. 

  1040.  	if (flowtable->use > 0)
    1041. 

  1041.  		return -EBUSY;
    1042. 

  1042.  
    1043. 

  1043. -	nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
    1044. 

  1044. +	nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla);
    1045. 

  1045.  
    1046. 

  1046.  	return nft_delflowtable(&ctx, flowtable);
    1047. 

  1047.  }
    1048. 

  1048. @@ -5308,40 +5297,37 @@ static int nf_tables_dump_flowtable(stru
    1049. 

  1049.  	struct net *net = sock_net(skb->sk);
    1050. 

  1050.  	int family = nfmsg->nfgen_family;
    1051. 

  1051.  	struct nft_flowtable *flowtable;
    1052. 

  1052. -	const struct nft_af_info *afi;
    1053. 

  1053.  	const struct nft_table *table;
    1054. 

  1054.  
    1055. 

  1055.  	rcu_read_lock();
    1056. 

  1056.  	cb->seq = net->nft.base_seq;
    1057. 

  1057.  
    1058. 

  1058. -	list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
    1059. 

  1059. -		if (family != NFPROTO_UNSPEC && family != afi->family)
    1060. 

  1060. +	list_for_each_entry_rcu(table, &net->nft.tables, list) {
    1061. 

  1061. +		if (family != NFPROTO_UNSPEC && family != table->afi->family)
    1062. 

  1062.  			continue;
    1063. 

  1063.  
    1064. 

  1064. -		list_for_each_entry_rcu(table, &afi->tables, list) {
    1065. 

  1065. -			list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
    1066. 

  1066. -				if (!nft_is_active(net, flowtable))
    1067. 

  1067. -					goto cont;
    1068. 

  1068. -				if (idx < s_idx)
    1069. 

  1069. -					goto cont;
    1070. 

  1070. -				if (idx > s_idx)
    1071. 

  1071. -					memset(&cb->args[1], 0,
    1072. 

  1072. -					       sizeof(cb->args) - sizeof(cb->args[0]));
    1073. 

  1073. -				if (filter && filter->table[0] &&
    1074. 

  1074. -				    strcmp(filter->table, table->name))
    1075. 

  1075. -					goto cont;
    1076. 

  1076. +		list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
    1077. 

  1077. +			if (!nft_is_active(net, flowtable))
    1078. 

  1078. +				goto cont;
    1079. 

  1079. +			if (idx < s_idx)
    1080. 

  1080. +				goto cont;
    1081. 

  1081. +			if (idx > s_idx)
    1082. 

  1082. +				memset(&cb->args[1], 0,
    1083. 

  1083. +				       sizeof(cb->args) - sizeof(cb->args[0]));
    1084. 

  1084. +			if (filter && filter->table &&
    1085. 

  1085. +			    strcmp(filter->table, table->name))
    1086. 

  1086. +				goto cont;
    1087. 

  1087.  
    1088. 

  1088. -				if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
    1089. 

  1089. -								  cb->nlh->nlmsg_seq,
    1090. 

  1090. -								  NFT_MSG_NEWFLOWTABLE,
    1091. 

  1091. -								  NLM_F_MULTI | NLM_F_APPEND,
    1092. 

  1092. -								  afi->family, flowtable) < 0)
    1093. 

  1093. -					goto done;
    1094. 

  1094. +			if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
    1095. 

  1095. +							  cb->nlh->nlmsg_seq,
    1096. 

  1096. +							  NFT_MSG_NEWFLOWTABLE,
    1097. 

  1097. +							  NLM_F_MULTI | NLM_F_APPEND,
    1098. 

  1098. +							  table->afi->family, flowtable) < 0)
    1099. 

  1099. +				goto done;
    1100. 

  1100.  
    1101. 

  1101. -				nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    1102. 

  1102. +			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
    1103. 

  1103.  cont:
    1104. 

  1104. -				idx++;
    1105. 

  1105. -			}
    1106. 

  1106. +			idx++;
    1107. 

  1107.  		}
    1108. 

  1108.  	}
    1109. 

  1109.  done:
    1110. 

  1110. @@ -5426,7 +5412,8 @@ static int nf_tables_getflowtable(struct
    1111. 

  1111.  	if (IS_ERR(afi))
    1112. 

  1112.  		return PTR_ERR(afi);
    1113. 

  1113.  
    1114. 

  1114. -	table = nf_tables_table_lookup(afi, nla[NFTA_FLOWTABLE_TABLE], genmask);
    1115. 

  1115. +	table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
    1116. 

  1116. +				       afi->family, genmask);
    1117. 

  1117.  	if (IS_ERR(table))
    1118. 

  1118.  		return PTR_ERR(table);
    1119. 

  1119.  
    1120. 

  1120. @@ -5469,7 +5456,7 @@ static void nf_tables_flowtable_notify(s
    1121. 

  1121.  
    1122. 

  1122.  	err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
    1123. 

  1123.  					    ctx->seq, event, 0,
    1124. 

  1124. -					    ctx->afi->family, flowtable);
    1125. 

  1125. +					    ctx->family, flowtable);
    1126. 

  1126.  	if (err < 0) {
    1127. 

  1127.  		kfree_skb(skb);
    1128. 

  1128.  		goto err;
    1129. 

  1129. @@ -5547,17 +5534,14 @@ static int nf_tables_flowtable_event(str
    1130. 

  1130.  	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
    1131. 

  1131.  	struct nft_flowtable *flowtable;
    1132. 

  1132.  	struct nft_table *table;
    1133. 

  1133. -	struct nft_af_info *afi;
    1134. 

  1134.  
    1135. 

  1135.  	if (event != NETDEV_UNREGISTER)
    1136. 

  1136.  		return 0;
    1137. 

  1137.  
    1138. 

  1138.  	nfnl_lock(NFNL_SUBSYS_NFTABLES);
    1139. 

  1139. -	list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
    1140. 

  1140. -		list_for_each_entry(table, &afi->tables, list) {
    1141. 

  1141. -			list_for_each_entry(flowtable, &table->flowtables, list) {
    1142. 

  1142. -				nft_flowtable_event(event, dev, flowtable);
    1143. 

  1143. -			}
    1144. 

  1144. +	list_for_each_entry(table, &dev_net(dev)->nft.tables, list) {
    1145. 

  1145. +		list_for_each_entry(flowtable, &table->flowtables, list) {
    1146. 

  1146. +			nft_flowtable_event(event, dev, flowtable);
    1147. 

  1147.  		}
    1148. 

  1148.  	}
    1149. 

  1149.  	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
    1150. 

  1150. @@ -6583,6 +6567,7 @@ EXPORT_SYMBOL_GPL(nft_data_dump);
    1151. 

  1151.  static int __net_init nf_tables_init_net(struct net *net)
    1152. 

  1152.  {
    1153. 

  1153.  	INIT_LIST_HEAD(&net->nft.af_info);
    1154. 

  1154. +	INIT_LIST_HEAD(&net->nft.tables);
    1155. 

  1155.  	INIT_LIST_HEAD(&net->nft.commit_list);
    1156. 

  1156.  	net->nft.base_seq = 1;
    1157. 

  1157.  	return 0;
    1158. 

  1158. @@ -6619,10 +6604,10 @@ static void __nft_release_afinfo(struct
    1159. 

  1159.  	struct nft_set *set, *ns;
    1160. 

  1160.  	struct nft_ctx ctx = {
    1161. 

  1161.  		.net	= net,
    1162. 

  1162. -		.afi	= afi,
    1163. 

  1163. +		.family	= afi->family,
    1164. 

  1164.  	};
    1165. 

  1165.  
    1166. 

  1166. -	list_for_each_entry_safe(table, nt, &afi->tables, list) {
    1167. 

  1167. +	list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
    1168. 

  1168.  		list_for_each_entry(chain, &table->chains, list)
    1169. 

  1169.  			nf_tables_unregister_hook(net, table, chain);
    1170. 

  1170.  		list_for_each_entry(flowtable, &table->flowtables, list)
    1171. 

  1171. --- a/net/netfilter/nf_tables_netdev.c
    1172. 

  1172. +++ b/net/netfilter/nf_tables_netdev.c
    1173. 

  1173. @@ -107,7 +107,6 @@ static int nf_tables_netdev_event(struct
    1174. 

  1174.  				  unsigned long event, void *ptr)
    1175. 

  1175.  {
    1176. 

  1176.  	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
    1177. 

  1177. -	struct nft_af_info *afi;
    1178. 

  1178.  	struct nft_table *table;
    1179. 

  1179.  	struct nft_chain *chain, *nr;
    1180. 

  1180.  	struct nft_ctx ctx = {
    1181. 

  1181. @@ -119,20 +118,18 @@ static int nf_tables_netdev_event(struct
    1182. 

  1182.  		return NOTIFY_DONE;
    1183. 

  1183.  
    1184. 

  1184.  	nfnl_lock(NFNL_SUBSYS_NFTABLES);
    1185. 

  1185. -	list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
    1186. 

  1186. -		ctx.afi = afi;
    1187. 

  1187. -		if (afi->family != NFPROTO_NETDEV)
    1188. 

  1188. +	list_for_each_entry(table, &ctx.net->nft.tables, list) {
    1189. 

  1189. +		if (table->afi->family != NFPROTO_NETDEV)
    1190. 

  1190.  			continue;
    1191. 

  1191.  
    1192. 

  1192. -		list_for_each_entry(table, &afi->tables, list) {
    1193. 

  1193. -			ctx.table = table;
    1194. 

  1194. -			list_for_each_entry_safe(chain, nr, &table->chains, list) {
    1195. 

  1195. -				if (!nft_is_base_chain(chain))
    1196. 

  1196. -					continue;
    1197. 

  1197. +		ctx.family = table->afi->family;
    1198. 

  1198. +		ctx.table = table;
    1199. 

  1199. +		list_for_each_entry_safe(chain, nr, &table->chains, list) {
    1200. 

  1200. +			if (!nft_is_base_chain(chain))
    1201. 

  1201. +				continue;
    1202. 

  1202.  
    1203. 

  1203. -				ctx.chain = chain;
    1204. 

  1204. -				nft_netdev_event(event, dev, &ctx);
    1205. 

  1205. -			}
    1206. 

  1206. +			ctx.chain = chain;
    1207. 

  1207. +			nft_netdev_event(event, dev, &ctx);
    1208. 

  1208.  		}
    1209. 

  1209.  	}
    1210. 

  1210.  	nfnl_unlock(NFNL_SUBSYS_NFTABLES);
    1211. 

  1211. --- a/net/netfilter/nft_compat.c
    1212. 

  1212. +++ b/net/netfilter/nft_compat.c
    1213. 

  1213. @@ -161,7 +161,7 @@ nft_target_set_tgchk_param(struct xt_tgc
    1214. 

  1214.  {
    1215. 

  1215.  	par->net	= ctx->net;
    1216. 

  1216.  	par->table	= ctx->table->name;
    1217. 

  1217. -	switch (ctx->afi->family) {
    1218. 

  1218. +	switch (ctx->family) {
    1219. 

  1219.  	case AF_INET:
    1220. 

  1220.  		entry->e4.ip.proto = proto;
    1221. 

  1221.  		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
    1222. 

  1222. @@ -192,7 +192,7 @@ nft_target_set_tgchk_param(struct xt_tgc
    1223. 

  1223.  	} else {
    1224. 

  1224.  		par->hook_mask = 0;
    1225. 

  1225.  	}
    1226. 

  1226. -	par->family	= ctx->afi->family;
    1227. 

  1227. +	par->family	= ctx->family;
    1228. 

  1228.  	par->nft_compat = true;
    1229. 

  1229.  }
    1230. 

  1230.  
    1231. 

  1231. @@ -283,7 +283,7 @@ nft_target_destroy(const struct nft_ctx
    1232. 

  1232.  	par.net = ctx->net;
    1233. 

  1233.  	par.target = target;
    1234. 

  1234.  	par.targinfo = info;
    1235. 

  1235. -	par.family = ctx->afi->family;
    1236. 

  1236. +	par.family = ctx->family;
    1237. 

  1237.  	if (par.target->destroy != NULL)
    1238. 

  1238.  		par.target->destroy(&par);
    1239. 

  1239.  
    1240. 

  1240. @@ -409,7 +409,7 @@ nft_match_set_mtchk_param(struct xt_mtch
    1241. 

  1241.  {
    1242. 

  1242.  	par->net	= ctx->net;
    1243. 

  1243.  	par->table	= ctx->table->name;
    1244. 

  1244. -	switch (ctx->afi->family) {
    1245. 

  1245. +	switch (ctx->family) {
    1246. 

  1246.  	case AF_INET:
    1247. 

  1247.  		entry->e4.ip.proto = proto;
    1248. 

  1248.  		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
    1249. 

  1249. @@ -440,7 +440,7 @@ nft_match_set_mtchk_param(struct xt_mtch
    1250. 

  1250.  	} else {
    1251. 

  1251.  		par->hook_mask = 0;
    1252. 

  1252.  	}
    1253. 

  1253. -	par->family	= ctx->afi->family;
    1254. 

  1254. +	par->family	= ctx->family;
    1255. 

  1255.  	par->nft_compat = true;
    1256. 

  1256.  }
    1257. 

  1257.  
    1258. 

  1258. @@ -523,7 +523,7 @@ __nft_match_destroy(const struct nft_ctx
    1259. 

  1259.  	par.net = ctx->net;
    1260. 

  1260.  	par.match = match;
    1261. 

  1261.  	par.matchinfo = info;
    1262. 

  1262. -	par.family = ctx->afi->family;
    1263. 

  1263. +	par.family = ctx->family;
    1264. 

  1264.  	if (par.match->destroy != NULL)
    1265. 

  1265.  		par.match->destroy(&par);
    1266. 

  1266.  
    1267. 

  1267. @@ -754,7 +754,7 @@ nft_match_select_ops(const struct nft_ct
    1268. 

  1268.  
    1269. 

  1269.  	mt_name = nla_data(tb[NFTA_MATCH_NAME]);
    1270. 

  1270.  	rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
    1271. 

  1271. -	family = ctx->afi->family;
    1272. 

  1272. +	family = ctx->family;
    1273. 

  1273.  
    1274. 

  1274.  	/* Re-use the existing match if it's already loaded. */
    1275. 

  1275.  	list_for_each_entry(nft_match, &nft_match_list, head) {
    1276. 

  1276. @@ -845,7 +845,7 @@ nft_target_select_ops(const struct nft_c
    1277. 

  1277.  
    1278. 

  1278.  	tg_name = nla_data(tb[NFTA_TARGET_NAME]);
    1279. 

  1279.  	rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
    1280. 

  1280. -	family = ctx->afi->family;
    1281. 

  1281. +	family = ctx->family;
    1282. 

  1282.  
    1283. 

  1283.  	if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
    1284. 

  1284.  	    strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||
    1285. 

  1285. --- a/net/netfilter/nft_ct.c
    1286. 

  1286. +++ b/net/netfilter/nft_ct.c
    1287. 

  1287. @@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct
    1288. 

  1288.  		if (tb[NFTA_CT_DIRECTION] == NULL)
    1289. 

  1289.  			return -EINVAL;
    1290. 

  1290.  
    1291. 

  1291. -		switch (ctx->afi->family) {
    1292. 

  1292. +		switch (ctx->family) {
    1293. 

  1293.  		case NFPROTO_IPV4:
    1294. 

  1294.  			len = FIELD_SIZEOF(struct nf_conntrack_tuple,
    1295. 

  1295.  					   src.u3.ip);
    1296. 

  1296. @@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct
    1297. 

  1297.  	if (err < 0)
    1298. 

  1298.  		return err;
    1299. 

  1299.  
    1300. 

  1300. -	err = nf_ct_netns_get(ctx->net, ctx->afi->family);
    1301. 

  1301. +	err = nf_ct_netns_get(ctx->net, ctx->family);
    1302. 

  1302.  	if (err < 0)
    1303. 

  1303.  		return err;
    1304. 

  1304.  
    1305. 

  1305. @@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct
    1306. 

  1306.  	if (err < 0)
    1307. 

  1307.  		goto err1;
    1308. 

  1308.  
    1309. 

  1309. -	err = nf_ct_netns_get(ctx->net, ctx->afi->family);
    1310. 

  1310. +	err = nf_ct_netns_get(ctx->net, ctx->family);
    1311. 

  1311.  	if (err < 0)
    1312. 

  1312.  		goto err1;
    1313. 

  1313.  
    1314. 

  1314. @@ -564,7 +564,7 @@ err1:
    1315. 

  1315.  static void nft_ct_get_destroy(const struct nft_ctx *ctx,
    1316. 

  1316.  			       const struct nft_expr *expr)
    1317. 

  1317.  {
    1318. 

  1318. -	nf_ct_netns_put(ctx->net, ctx->afi->family);
    1319. 

  1319. +	nf_ct_netns_put(ctx->net, ctx->family);
    1320. 

  1320.  }
    1321. 

  1321.  
    1322. 

  1322.  static void nft_ct_set_destroy(const struct nft_ctx *ctx,
    1323. 

  1323. @@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const str
    1324. 

  1324.  	struct nft_ct *priv = nft_expr_priv(expr);
    1325. 

  1325.  
    1326. 

  1326.  	__nft_ct_set_destroy(ctx, priv);
    1327. 

  1327. -	nf_ct_netns_put(ctx->net, ctx->afi->family);
    1328. 

  1328. +	nf_ct_netns_put(ctx->net, ctx->family);
    1329. 

  1329.  }
    1330. 

  1330.  
    1331. 

  1331.  static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
    1332. 

  1332. @@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const
    1333. 

  1333.  	struct nft_ct_helper_obj *priv = nft_obj_data(obj);
    1334. 

  1334.  	struct nf_conntrack_helper *help4, *help6;
    1335. 

  1335.  	char name[NF_CT_HELPER_NAME_LEN];
    1336. 

  1336. -	int family = ctx->afi->family;
    1337. 

  1337. +	int family = ctx->family;
    1338. 

  1338.  
    1339. 

  1339.  	if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
    1340. 

  1340.  		return -EINVAL;
    1341. 

  1341. @@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const
    1342. 

  1342.  
    1343. 

  1343.  	switch (family) {
    1344. 

  1344.  	case NFPROTO_IPV4:
    1345. 

  1345. -		if (ctx->afi->family == NFPROTO_IPV6)
    1346. 

  1346. +		if (ctx->family == NFPROTO_IPV6)
    1347. 

  1347.  			return -EINVAL;
    1348. 

  1348.  
    1349. 

  1349.  		help4 = nf_conntrack_helper_try_module_get(name, family,
    1350. 

  1350.  							   priv->l4proto);
    1351. 

  1351.  		break;
    1352. 

  1352.  	case NFPROTO_IPV6:
    1353. 

  1353. -		if (ctx->afi->family == NFPROTO_IPV4)
    1354. 

  1354. +		if (ctx->family == NFPROTO_IPV4)
    1355. 

  1355.  			return -EINVAL;
    1356. 

  1356.  
    1357. 

  1357.  		help6 = nf_conntrack_helper_try_module_get(name, family,
    1358. 

  1358. --- a/net/netfilter/nft_flow_offload.c
    1359. 

  1359. +++ b/net/netfilter/nft_flow_offload.c
    1360. 

  1360. @@ -151,7 +151,7 @@ static int nft_flow_offload_init(const s
    1361. 

  1361.  	priv->flowtable = flowtable;
    1362. 

  1362.  	flowtable->use++;
    1363. 

  1363.  
    1364. 

  1364. -	return nf_ct_netns_get(ctx->net, ctx->afi->family);
    1365. 

  1365. +	return nf_ct_netns_get(ctx->net, ctx->family);
    1366. 

  1366.  }
    1367. 

  1367.  
    1368. 

  1368.  static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
    1369. 

  1369. @@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(con
    1370. 

  1370.  	struct nft_flow_offload *priv = nft_expr_priv(expr);
    1371. 

  1371.  
    1372. 

  1372.  	priv->flowtable->use--;
    1373. 

  1373. -	nf_ct_netns_put(ctx->net, ctx->afi->family);
    1374. 

  1374. +	nf_ct_netns_put(ctx->net, ctx->family);
    1375. 

  1375.  }
    1376. 

  1376.  
    1377. 

  1377.  static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr)
    1378. 

  1378. --- a/net/netfilter/nft_log.c
    1379. 

  1379. +++ b/net/netfilter/nft_log.c
    1380. 

  1380. @@ -112,7 +112,7 @@ static int nft_log_init(const struct nft
    1381. 

  1381.  		break;
    1382. 

  1382.  	}
    1383. 

  1383.  
    1384. 

  1384. -	err = nf_logger_find_get(ctx->afi->family, li->type);
    1385. 

  1385. +	err = nf_logger_find_get(ctx->family, li->type);
    1386. 

  1386.  	if (err < 0)
    1387. 

  1387.  		goto err1;
    1388. 

  1388.  
    1389. 

  1389. @@ -133,7 +133,7 @@ static void nft_log_destroy(const struct
    1390. 

  1390.  	if (priv->prefix != nft_log_null_prefix)
    1391. 

  1391.  		kfree(priv->prefix);
    1392. 

  1392.  
    1393. 

  1393. -	nf_logger_put(ctx->afi->family, li->type);
    1394. 

  1394. +	nf_logger_put(ctx->family, li->type);
    1395. 

  1395.  }
    1396. 

  1396.  
    1397. 

  1397.  static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr)
    1398. 

  1398. --- a/net/netfilter/nft_masq.c
    1399. 

  1399. +++ b/net/netfilter/nft_masq.c
    1400. 

  1400. @@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx *
    1401. 

  1401.  		}
    1402. 

  1402.  	}
    1403. 

  1403.  
    1404. 

  1404. -	return nf_ct_netns_get(ctx->net, ctx->afi->family);
    1405. 

  1405. +	return nf_ct_netns_get(ctx->net, ctx->family);
    1406. 

  1406.  }
    1407. 

  1407.  EXPORT_SYMBOL_GPL(nft_masq_init);
    1408. 

  1408.  
    1409. 

  1409. --- a/net/netfilter/nft_meta.c
    1410. 

  1410. +++ b/net/netfilter/nft_meta.c
    1411. 

  1411. @@ -341,7 +341,7 @@ static int nft_meta_get_validate(const s
    1412. 

  1412.  	if (priv->key != NFT_META_SECPATH)
    1413. 

  1413.  		return 0;
    1414. 

  1414.  
    1415. 

  1415. -	switch (ctx->afi->family) {
    1416. 

  1416. +	switch (ctx->family) {
    1417. 

  1417.  	case NFPROTO_NETDEV:
    1418. 

  1418.  		hooks = 1 << NF_NETDEV_INGRESS;
    1419. 

  1419.  		break;
    1420. 

  1420. @@ -372,7 +372,7 @@ int nft_meta_set_validate(const struct n
    1421. 

  1421.  	if (priv->key != NFT_META_PKTTYPE)
    1422. 

  1422.  		return 0;
    1423. 

  1423.  
    1424. 

  1424. -	switch (ctx->afi->family) {
    1425. 

  1425. +	switch (ctx->family) {
    1426. 

  1426.  	case NFPROTO_BRIDGE:
    1427. 

  1427.  		hooks = 1 << NF_BR_PRE_ROUTING;
    1428. 

  1428.  		break;
    1429. 

  1429. --- a/net/netfilter/nft_nat.c
    1430. 

  1430. +++ b/net/netfilter/nft_nat.c
    1431. 

  1431. @@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft
    1432. 

  1432.  		return -EINVAL;
    1433. 

  1433.  
    1434. 

  1434.  	family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
    1435. 

  1435. -	if (family != ctx->afi->family)
    1436. 

  1436. +	if (family != ctx->family)
    1437. 

  1437.  		return -EOPNOTSUPP;
    1438. 

  1438.  
    1439. 

  1439.  	switch (family) {
    1440. 

  1440. --- a/net/netfilter/nft_redir.c
    1441. 

  1441. +++ b/net/netfilter/nft_redir.c
    1442. 

  1442. @@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx
    1443. 

  1443.  			return -EINVAL;
    1444. 

  1444.  	}
    1445. 

  1445.  
    1446. 

  1446. -	return nf_ct_netns_get(ctx->net, ctx->afi->family);
    1447. 

  1447. +	return nf_ct_netns_get(ctx->net, ctx->family);
    1448. 

  1448.  }
    1449. 

  1449.  EXPORT_SYMBOL_GPL(nft_redir_init);
    1450. 

  1450.  
    1451.